e-commercial - chapter 4

Upload: mizuvodoi

Post on 02-Jun-2018


  • 8/10/2019 E-commercial - Chapter 4

    1/64

    Chapter 5 Slide 1

    ECT 7010 Fundamentals of E-Commerce Technologies

    Edited by Christopher C. Yang

    Authentication, Encryption, Digital Payments, and Digital Money


    Learning Objectives

    - Understand the importance of authentication.
    - Understand the various encryption alternatives.
    - Differentiate between symmetric and asymmetric encryption.
    - Determine how and why encryption is important for e-commerce.


    Learning Objectives

    - Understand how security applies to e-mail, the Web, the intranet, and the extranet.
    - Appreciate how virtual private networks are relevant to the future of e-commerce.
    - Plan for strategies to fend off security threats.
    - List and understand various e-commerce modes of payment.


    Methods of Encrypting Data

    Translation Table

    - Simplest method.
    - Easy to program.
    - Easy to break.
    - Refinements:
        - Table rotation
        - Using several tables

    A B C D E F G H I

    C I D G A B E F H


    Methods of Encrypting Data

    Symmetric Key Encryption

    - Sender and receiver share the same key.
    - Highly efficient implementation.
    - Only the key decrypts the message; this assures authentication.
    - Security is compromised if the key is divulged.


    Methods of Encrypting Data

    Asymmetric Key Encryption

    - Most common.
    - Based on RSA Data Security Algorithm.
    - Based on public keys.
    - Composed of two keys, public and private.
    - The public key is published.
    - Private key encrypts the information.
    - Public key decrypts the information.
    - Requires more computation than symmetric method.
    - High security for short messages.


    Methods of Encrypting Data

    Asymmetric Key Encryption


    Confidentiality

    - Confidentiality has two aims:
        - To use the digital signature or encrypted hash function to authenticate the identity of the sender.
        - To protect the content of the message from eyes other than those of the intended recipient.
    - Cryptography is used to implement privacy.
    - Encoded message has no apparent meaning.


    Confidentiality

    - Two steps involved:
        - In the first step, a clear message is encrypted.
        - The reverse aspect is the deciphering by the recipient.
    - Secure Socket Layer (SSL)
        - Developed by Netscape for transmitting private documents via the Internet.
        - Supported by both Netscape Navigator and Internet Explorer.
        - Many websites use SSL to obtain confidential user information, such as credit card number.


    Confidentiality

    - Many websites collect personal information but do not provide details about their information practices or their use of information.
    - Very few have disclosure notice to inform children to obtain parental permission before divulging personal information about themselves or their families.
    - Organizations to regulate privacy practices by developing standard technologies and procedures:
        - Government
        - Industry Self-Regulation
        - Platform for Privacy Preferences Project (P3P), http://www.w3c.org/P3P/
        - TRUSTe, http://www.truste.org/
        - Better Business Bureau Online


    Authentication

    - Authentication is the process of identifying an individual or a message, usually based on a user name and password or a file signature.
    - Authentication is distinct from authorization.


    Authentication

    - Log-in Passwords
        - Weak method with short passwords


    Authentication

    - Features commonly used to identify and authenticate a user:
        - Something the user knows (e.g. password).
        - Something the user has (e.g. token, smartcard).
        - Something that is part of the user (e.g. fingerprint).


    Authentication

    - Digital Signature
        - A digital signature is a code attached to an electronically transmitted message to identify the sender.


    Authentication

    Digital Signature

    1. The sender composes the document.
    2. The sender uses a hash algorithm to create a one-way hash.
    3. The user uses his or her private part of a public key system to encrypt the one-way hash to create the digital signature.
    4. The sender then combines the original document with the digital signature to create a new signed document and send it to the receiver.


    Authentication

    Digital Signature


    Authorization

    - Gives someone permission to do or have something.
    - Role or privileges based system.
    - Access lists to hardware, programs, data.


    Integrity

    - Integrity of data during transmission and storage
    - Content of transaction is not altered by unauthorized users
    - In traditional network environment, integrity is presented in Control Redundancy Check (CRC)
        - Addresses the tampering or loss of information during a transfer
        - File is submitted to an algorithm that generates a unique number for the message
        - On the receiving end, the file is processed again with the same algorithm, and the number generated is compared with the original
    - In modern systems, hash function is a principal approach
        - Secure Hash Algorithm (SHA-1)
            - Developed by National Institute of Standards and Technology as a federal information processing standard.
            - Takes a message as input with a maximum length of < 2^64 bits
            - Produces a 160-bit message digest output
            - Every bit in the hash code is a function of every bit of the input message
        - RSA's Message Digest (MD5)
            - Developed by Ron Rivest and supported by RSA Security (the most trusted names in e-security)
            - Netscape Navigator supports RSA's algorithm and Microsoft Internet Explorer contains RSA's licensed security software
            - MD5 is most widely used secure hash algorithm
            - Generates 128-bit message digest (however, not enough to resist brute force hacking)
        - RIPEMD-160
            - Developed in Europe
            - Originally 128-bit algorithm, extended to 160-bit


    Nonrepudiation

    - Nonrepudiation is a proof that a message has been sent or received.
    - Nonrepudiation is especially important for the secure completion of online transactions.


    Nonrepudiation

    - Digital Certificates (unique digital ID) can be used to verify the identity of a person, website or JavaScript/Java applet.
    - Individual or business applies for a digital certificate from a certificate authority (CA).
    - CA verifies the identity of the requester and issues an encrypted digital certificate.
    - CA makes its own public key readily available through print publicity or on the Internet.
    - Use X.509 standard, approved by International Telecommunication Union (ITU).
    - The certificate always includes:
        - Public key.
        - The name of the entity.
        - Expiration date.
        - The name of the certification authority (CA).
        - The digital signature of the CA.
        - A serial number.


    Non-repudiation

    - In an e-commerce transaction, a customer places an order along with a certificate.
    - The company validates the certificate with the known public key of the CA that delivered the certificate.
    - When the company is certain of the customer's identity, it uses his or her key to verify the order.


    Non-repudiation

    Private Key Infrastructure (PKI)


    E-mail and Internet Security

    - Secure Sockets Layer (SSL).
    - Secure Electronic Transactions (SET).
    - Password Authentication Protocol / Challenge Handshake Authentication Protocol (PAP/CHAP).
    - Private Communications Technology (PCT).
    - S/MIME
    - Pretty Good Privacy (PGP).


    E-mail and Internet Security

    - Secure Sockets Layer (SSL).
        - Created by Netscape
        - Widely used
        - Messages are contained in a program layer between an application and the Internet's TCP/IP layers
        - Uses RSA's encryption system.
        - Uses temporary shared keys
        - Implement Certificate Authorities (CA)
        - Client and server certificates


    E-mail and Internet Security

    - Secure Electronic Transactions (SET)
        - Enables the use of electronic payment methods and provides assurance about the identification of customers, merchants and banks.
        - Industry protocol.


    E-mail and Internet Security

    - PAP/CHAP (password authentication protocol / challenge handshake authentication protocol)
        - Commonly used with PPP (point-to-point protocol) connections.
        - The router (peer) at one end of the link transmits a user name and password pair
        - The router (authenticator) at the other end determines whether it will accept this as identifying a valid user
        - With PAP the password is sent as open text, with CHAP it is encrypted.
        - With CHAP the authentication is repeated every 10 minutes, with PAP only at connection time.


    E-mail and Internet Security

    - Secure multipurpose Internet mail extensions (S/MIME).
        - Secure method of sending e-mails.
        - Based on MIME
        - Authentication, message integrity and non-repudiation of origin (digital signature), privacy and data security (encryption).
        - An IETF (Internet Engineering Task Force) standard RFC 1521


    E-mail and Internet Security

    - Pretty Good Privacy (PGP)
        - World's de facto standard.
        - Freeware (there is also a commercial version).


    Virtual Private Network

    - A virtual private network (VPN) is a network available when the user needs it.
    - The node can join the network for any desired function at any time, for any length of time (on-demand networking)
    - Common approach: tunnel IP within IP, with some layer in between to provide the on-demand management.
    - Two technologies:
        - IP Security Protocol (IPSec)
        - Layer Two Tunneling Protocol (L2TP)
    - Transport Layer Security (TLS) is used for encapsulation of various higher-level protocols.


    Virtual Private Network

    - L2TP
        - LAC (L2TP access concentrator): a device that the client connects to and that tunnels to the L2TP network server (LNS)


    Encryption Export Policy

    - Regulations affect the global use of encryption techniques.
    - Companies are allowed to export encryption items (but with weak encryption)
    - Encryption classified as a weapon


    Electronic Credit Card System on the Internet

    The Players

    - Cardholder
    - Merchant (seller)
    - Issuer (your bank)
    - Acquirer (merchant's financial institution, acquires the sales slips)
    - Brand (VISA, Master Card)

    Electronic Credit Card System on the Internet (cont.)

    The process of using credit cards offline

    - The authorization of card issuance by the issuer bank, or its designated brand company, may require the customer's physical visit to an office.
    - A cardholder requests the issuance of a card brand (like Visa and MasterCard) to an issuer bank in which the cardholder may have an account.
    - A plastic card is physically delivered to the customer's address by mail.
    - The card can be in effect as the cardholder calls the bank for initiation and signs on the back of the card.
    - The cardholder shows the card to a merchant to pay a requested amount. Then the merchant asks for approval from the brand company.
    - Upon the approval, the merchant requests payment to the merchant's acquirer bank, and pays fee for the service. This process is called a capturing process.
    - The acquirer bank requests the issuer bank to pay for the credit amount.


    [Figure: Credit Card Procedure (offline and online). Parties: Cardholder, Merchant, Card Brand Company, Issuer Bank (Cardholder Account), Acquirer Bank (Merchant Account). Flows: credit card; payment authorization, payment data; account debit data; payment data; amount transfer.]


    Secure Electronic Transaction (SET) Protocol

    Sender's Computer

    1. The message is hashed to a prefixed length of message digest.
    2. The message digest is encrypted with the sender's private signature key, and a digital signature is created.
    3. The composition of message, digital signature, and sender's certificate is encrypted with the symmetric key which is generated at sender's computer for every transaction. The result is an encrypted message. SET protocol uses the DES algorithm instead of RSA for encryption because DES can be executed much faster than RSA.
    4. The symmetric key itself is encrypted with the receiver's public key which was sent to the sender in advance. The result is a digital envelope.

    [Figure: SET processing on the sender's computer. Labels: Message, Message Digest, Sender's Private Signature Key, Digital Signature, Sender's Certificate, Symmetric Key, Encrypt, Encrypted Message, Receiver's Certificate, Receiver's Key-Exchange Key, Digital Envelope.]


    Secure Electronic Transaction (SET) Protocol (cont.)

    Receiver's Computer

    5. The encrypted message and digital envelope are transmitted to receiver's computer via the Internet.
    6. The digital envelope is decrypted with receiver's private exchange key.
    7. Using the restored symmetric key, the encrypted message can be restored to the message, digital signature, and sender's certificate.
    8. To confirm the integrity, the digital signature is decrypted by sender's public key, obtaining the message digest.
    9. The delivered message is hashed to generate message digest.
    10. The message digests obtained by steps 8 and 9 respectively, are compared by the receiver to confirm whether there was any change during the transmission. This step confirms the integrity.
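The digital-signature steps on the Authentication slide and SET steps 1 to 10 above, carried through in code as an added example (not part of the original slides or of SET itself). It assumes textbook RSA without padding on constructed keys, a SHA-256 keystream XOR where the slides name DES, and a bare name string in place of an X.509 certificate; all function names are hypothetical.

```python
"""Signed message in a digital envelope, following the numbered steps above.

Teaching stand-ins (assumptions of this example, not what SET deploys):
  * textbook RSA without padding, keys built from publicly known Mersenne primes
  * a SHA-256 counter keystream XOR where the slides name DES (no DES in the stdlib)
  * the "certificate" is a bare name string; no CA signature is modelled
"""
import hashlib
import json
import secrets

E = 65537  # public exponent shared by both constructed key pairs


def make_keypair(p, q):
    """Return (public, private) textbook-RSA keys, each an (exponent, modulus) tuple."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (E, n), (d, n)


# Constructed demo keys: the primes are public knowledge, so these keys protect nothing.
SENDER_PUB, SENDER_PRIV = make_keypair(2**127 - 1, 2**521 - 1)
RECEIVER_PUB, RECEIVER_PRIV = make_keypair(2**89 - 1, 2**607 - 1)


def digest_int(message):
    """Steps 1 and 9: hash the message to a fixed-length digest (SHA-256 here)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def keystream_xor(key, data):
    """Symmetric stand-in: XOR data with SHA-256(key || block counter); self-inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], pad))
    return bytes(out)


def sender_seal(message, certificate):
    """Steps 1-4 on the sender's computer. Returns (encrypted_message, envelope)."""
    signature = pow(digest_int(message), *SENDER_PRIV)             # steps 1-2
    sym_key = secrets.token_bytes(16)                              # fresh per transaction
    bundle = json.dumps({"message": message.hex(),
                         "signature": signature,
                         "certificate": certificate}).encode()
    encrypted_message = keystream_xor(sym_key, bundle)             # step 3
    envelope = pow(int.from_bytes(sym_key, "big"), *RECEIVER_PUB)  # step 4
    return encrypted_message, envelope


def receiver_open(encrypted_message, envelope):
    """Steps 6-10 on the receiver's computer. Returns (message, digests_match)."""
    try:
        sym_key = pow(envelope, *RECEIVER_PRIV).to_bytes(16, "big")     # step 6
        bundle = json.loads(keystream_xor(sym_key, encrypted_message))  # step 7
        message = bytes.fromhex(bundle["message"])
        signature = int(bundle["signature"])
    except (ValueError, KeyError, TypeError, OverflowError):
        return None, False  # envelope or ciphertext damaged beyond parsing
    recovered_digest = pow(signature, *SENDER_PUB)                      # step 8
    return message, recovered_digest == digest_int(message)            # steps 9-10


def flip_first_message_bit(encrypted_message):
    """Model in-transit alteration: flip one bit inside the encrypted message field."""
    altered = bytearray(encrypted_message)
    altered[len('{"message": "')] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    ORDER = b"PAY 100.00 TO MERCHANT-A"  # constructed sample message
    ct, env = sender_seal(ORDER, "CN=constructed-cardholder")
    print(receiver_open(ct, env))
    print(receiver_open(flip_first_message_bit(ct), env))
```

The altered ciphertext still decrypts to a well-formed message, so the symmetric layer alone gives no warning; only the digest comparison in step 10 reports the change.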


    Electronic Wallet

    - Electronic Wallet, also known as digital wallet
        - keeps customer's certificate in his or her PC or IC card
    - A consortium of companies including Visa, MasterCard, JCB, and American Express established a company called SETCo
        - performs the interoperability test and issues a SET Mark as a confirmation of interoperability
    - IC card allows customers to use the embedded certificate on any computer with reader attached
        - contact IC card or contactless IC card


    [Figure: Entities of SET Protocol in Cyber Shopping. Labels: Customer x and Customer y with Digital Wallets, IC Card Reader, Certificate Authority, Electronic Shopping Mall (Merchant A, Merchant B), Payment Gateway, Protocol X.25, Credit Card Brand.]


    SET vs. SSL

    Secure Electronic Transaction (SET)

    - Complex
    - SET is tailored to the credit card payment to the merchants.
    - SET protocol hides the customer's credit card information from merchants, and also hides the order information from banks, to protect privacy. This scheme is called dual signature.

    Secure Socket Layer (SSL)

    - Simple
    - SSL is a protocol for general-purpose secure message exchanges (encryption).
    - SSL protocol may use a certificate, but there is no payment gateway. So, the merchants need to receive both the ordering information and credit card information, because the capturing process should be initiated by the merchants.

    Debit Cards

    - A delivery vehicle of cash in an electronic form
    - also known as check card
    - credit card: pay later
    - debit card: pay now, immediately deducted from your checking or saving account
    - many ATM cards have the features of a debit card

    Financial EDI

    - It is an EDI used for financial transactions
    - EDI is a standardized way of exchanging messages between businesses
    - EFT can be implemented using a Financial EDI system
    - Safe Financial EDI needs to adopt a security scheme used for the SSL protocol
    - Extranet encrypts the packets exchanged between senders and receivers using the public key cryptography

    Electronic Cash and Micropayments

    - Stored Value Cards and Electronic Cash
        - small transaction
        - minimum charge of credit cards
    - Smart Cards
        - The concept of e-cash is used in the non-Internet environment
        - Plastic cards with magnetic stripes (old technology)
        - Includes IC chips with programmable functions on them which makes cards smart
        - One e-cash card for one application
        - Recharge the card only at designated locations, such as bank office or a kiosk. Future: recharge at your PC
        - e.g. Mondex & VisaCash

    Mondex Makes Shopping Easy

    - Shopping with Mondex
    - Adding money to the card
    - Payments in a new era of electronic shopping
    - Paying on the Internet

    Electronic Money

    - DigiCash
        - The analogy of paper money or coins
        - electronic bills, each with a unique identification
        - prevent duplication of bills
        - Expensive, as each payment transaction must be reported to the bank and recorded
        - Conflict with the role of central bank's bill issuance
        - Legally, DigiCash is not supposed to issue more than an electronic gift certificate even though it may be accepted by a wide number of member stores

    Electronic Money (cont.)

    - Stored Value Cards
        - No issuance of money
        - Debit card: a delivering vehicle of cash in an electronic form
        - Either anonymous or onymous
        - Advantage of an anonymous card: the card may be given from one person to another

    Electronic Money (cont.)

    - Smart card-based e-cash
        - Can be recharged at home through the Internet
        - Can be used on the Internet as well as in a non-Internet environment
    - Ceiling of Stored Values
        - To prevent the abuse of stored values in money laundering
        - S$500 in Singapore; HK$3,000 in Hong Kong
    - Multiple Currencies
        - Can be used for cross border payments

    Contactless IC Cards

    - Proximity Card
        - Used to access buildings and for paying in buses and other transportation systems
        - Bus, subway and toll card in many cities
    - Amplified Remote Sensing Card
        - Good for a range of up to 100 feet, and can be used for tolling moving vehicles at gates
        - Pay toll without stopping (e.g. Highway 91 in California)

    Electronic Check Systems

    [Figure: Procedure of Financial Service Technology Consortium Prototype. Labels: Payer, Payee, Workstation, Signature Card, Check, Signature, Certificate, Endorsement, Remittance, Invoice, Secure Envelope, E-mail, WWW, Payer's Bank (debit account), Payee's Bank (credit account), Deposit check, Clear check, ACH, ECP, Mall statement, E-Check line item, Account Receivable.]

    Electronic Check Systems (cont.)

    - Electronic Checkbook
        - Counterpart of electronic wallet
        - To be integrated with the accounting information system of business buyers and with the payment server of sellers
        - To save the electronic invoice and receipt of payment in the buyers' and sellers' computers for future retrieval
        - Example: SafeCheck
        - Used mainly in B2B


    Four Deposit and Clearing Scenarios by FSTC (Financial Services Technology Consortium)

    [Figure: The Architecture of SafeCheck. Labels: Payer, Payee, payer's checkbook agent, payee's check-receipt agent, control agent of payer's bank, control agent of payee's bank, A/C DB, payer's bank, payee's bank, Internet, Checkbook, issue a check, receipt, request of screening check issuance, screened result, present, report, clearing.]

    Integrating Payment Methods

    - Two potential consolidations:
        - The on-line electronic check is merging with EFT
        - The electronic check with a designated settlement date is merging with electronic credit cards
    - Security First Network Bank (SFNB)
        - First cyberbank
        - Lower service charges to challenge the service fees of traditional banks
    - Visa is experimenting with VisaCash and ePay
        - VisaCash is a debit card
        - ePay is an EFT service


    Links

    - www.echeck.org
    - www.echecksecure.com
    - www.safecheck.com
    - www.ecoin.com
    - www.mondex.com
    - www.paypal.com (person-to-person payments)
    - www.c2it.com (Citibank)

    How Many Cards are Appropriate?

    - An onymous card is necessary to keep the certificates for credit cards, EFT, and electronic checkbooks
    - The stored value in IC card can be delivered in an anonymous mode
    - One-Card system